Parameterized Filter Match Conditions for IPv4 Traffic
You can configure a parameterized filter with match conditions for Internet Protocol version 4 (IPv4) traffic (family `inet`).
For MX Series routers with MPCs, you need to initialize certain new firewall filters by walking the corresponding SNMP MIB, for example `show snmp mib walk name ascii`. This forces Junos OS to learn the filter counters and ensures that the filter statistics are displayed. This guidance applies to all enhanced mode firewall filters, filters with flexible conditions, and filters with certain terminating actions. See those topics, listed under Related Documentation, for details.
Table 1 describes the match conditions you can configure at the `[edit firewall family inet filter filter-name term term-name from]` hierarchy level.
Match Condition | Description |
---|---|
`address address` | Match the IPv4 source or destination address field unless the `except` option is included. You cannot specify both the `address` and `destination-address` (or `source-address`) match conditions in the same term. |
`destination-address address` | Match the IPv4 destination address field unless the `except` option is included. You cannot specify both the `address` and `destination-address` match conditions in the same term. |
`destination-port number` | Match the UDP or TCP destination port field. You cannot specify both the `port` and `destination-port` match conditions in the same term. If you configure this match condition, we recommend that you also configure the `protocol` match condition in the same term to determine which protocol is being used on the port. In place of the numeric value, you can specify a text synonym, for example `ssh` (22), `http` (80), `https` (443), `bgp` (179), or `domain` (53). |
`destination-port-except number` | Do not match the UDP or TCP destination port field. For details, see the `destination-port` match condition. |
`destination-prefix-list name` | Match destination prefixes in the specified list unless the `except` option is included. Specify the name of a prefix list defined at the `[edit policy-options prefix-list prefix-list-name]` hierarchy level. |
`dscp number` | Match the Differentiated Services code point (DSCP). The DiffServ protocol uses the type-of-service (ToS) byte in the IP header; the most significant 6 bits of this byte form the DSCP. For more information, see Understanding How Behavior Aggregate Classifiers Prioritize Trusted Traffic. Starting in Junos OS Release 13.3R7, filtering on DSCP and forwarding class is supported for Routing Engine-sourced packets, including IS-IS packets encapsulated in generic routing encapsulation (GRE). Consequently, when you upgrade from an earlier release in which both a class-of-service (CoS) configuration and a firewall filter set DSCP or forwarding class, the firewall filter takes precedence over the CoS settings. The same is true for new configurations: where the same settings exist in both, the firewall filter takes precedence regardless of which was created first. You can specify a numeric value from 0 through 63. In place of the numeric value, you can specify a text synonym, for example `be` (0), `af11` (10), `cs6` (48), or `ef` (46). |
`dscp-except number` | Do not match on the DSCP number. For more information, see the `dscp` match condition. |
`forwarding-class class` | Match the forwarding class of the packet. Specify `assured-forwarding`, `best-effort`, `expedited-forwarding`, or `network-control`. For information about forwarding classes and router-internal output queues, see Understanding How Forwarding Classes Assign Classes to Output Queues. |
`forwarding-class-except class` | Do not match the forwarding class of the packet. For details, see the `forwarding-class` match condition. |
`icmp-code number` | Match the ICMP message code field. If you configure this match condition, we recommend that you also configure the `protocol icmp` match condition in the same term. If you configure this match condition, you must also configure the `icmp-type message-type` match condition in the same term, because ICMP codes are only meaningful for a given type. In place of the numeric value, you can specify a text synonym; the keywords are grouped by the ICMP type with which they are associated, for example `network-unreachable` (0) and `port-unreachable` (3) for type `unreachable`. |
`icmp-code-except number` | Do not match the ICMP message code field. For details, see the `icmp-code` match condition. |
`icmp-type number` | Match the ICMP message type field. If you configure this match condition, we recommend that you also configure the `protocol icmp` match condition in the same term. In place of the numeric value, you can specify a text synonym, for example `echo-reply` (0), `unreachable` (3), `echo-request` (8), or `time-exceeded` (11). |
`icmp-type-except number` | Do not match the ICMP message type field. For details, see the `icmp-type` match condition. |
`loss-priority level` | Match the packet loss priority (PLP) level. Specify a single level or multiple levels: `low`, `medium-low`, `medium-high`, or `high`. For IP traffic on MX Series routers with Enhanced II Flexible PIC Concentrators (FPCs), you must include the `tri-color` statement at the `[edit class-of-service]` hierarchy level to commit a PLP configuration with any of the four levels specified. For information about the `tri-color` statement, see the class-of-service documentation. |
`loss-priority-except level` | Do not match the PLP level. For details, see the `loss-priority` match condition. |
`packet-length bytes` | Match the length of the received packet, in bytes. The length refers only to the IP packet, including the packet header, and does not include any Layer 2 encapsulation overhead. |
`packet-length-except bytes` | Do not match the length of the received packet, in bytes. For details, see the `packet-length` match condition. |
`port number` | Match the UDP or TCP source or destination port field. If you configure this match condition, you cannot configure the `destination-port` or `source-port` match condition in the same term. If you configure this match condition, we recommend that you also configure the `protocol` match condition in the same term to determine which protocol is being used on the port. In place of the numeric value, you can specify one of the text synonyms listed under the `destination-port` match condition. |
`port-except number` | Do not match either the source or destination UDP or TCP port field. For details, see the `port` match condition. |
`precedence ip-precedence-field` | Match the IP precedence field (the most significant 3 bits of the ToS byte). In place of the numeric field value, you can specify one of the following text synonyms (the field values are also listed): `critical-ecp` (0xa0), `flash` (0x60), `flash-override` (0x80), `immediate` (0x40), `internet-control` (0xc0), `net-control` (0xe0), `priority` (0x20), and `routine` (0x00). |
`precedence-except ip-precedence-field` | Do not match the IP precedence field. In place of the numeric field value, you can specify one of the text synonyms listed under the `precedence` match condition. |
`prefix-list prefix-list-name` | Match the prefixes of the source or destination address fields to the prefixes in the specified list unless the `except` option is included. The prefix list is defined at the `[edit policy-options prefix-list prefix-list-name]` hierarchy level. |
`protocol number` | Match the IP protocol type field. In place of the numeric value, you can specify a text synonym, for example `icmp` (1), `igmp` (2), `tcp` (6), `udp` (17), `gre` (47), `esp` (50), `ah` (51), `ospf` (89), or `vrrp` (112). |
`protocol-except number` | Do not match the IP protocol type field. In place of the numeric value, you can specify one of the text synonyms listed under the `protocol` match condition. |
`service-filter-hit` | Match a packet received from a filter where a `service-filter-hit` action was applied. |
`source-address address` | Match the IPv4 address of the source node sending the packet unless the `except` option is included. You cannot specify both the `address` and `source-address` match conditions in the same term. |
`source-class class-names` | Match one or more specified source class names (sets of source prefixes grouped together and given a class name). For more information, see Firewall Filter Match Conditions Based on Address Classes. |
`source-class-except class-names` | Do not match one or more specified source class names. For details, see the `source-class` match condition. |
`source-port number` | Match the UDP or TCP source port field. You cannot specify the `port` and `source-port` match conditions in the same term. If you configure this match condition for IPv4 traffic, we recommend that you also configure the `protocol` match condition in the same term to determine which protocol is being used on the port. In place of the numeric value, you can specify one of the text synonyms listed under the `destination-port` match condition. |
`source-port-except number` | Do not match the UDP or TCP source port field. For details, see the `source-port` match condition. |
`source-prefix-list name` | Match source prefixes in the specified list unless the `except` option is included. Specify the name of a prefix list defined at the `[edit policy-options prefix-list prefix-list-name]` hierarchy level. |
`ttl number` | Match the IPv4 time-to-live number. Specify a TTL value or a range of TTL values. For `number`, you can specify one or more values from 0 through 255. |
`ttl-except number` | Do not match on the IPv4 TTL number. For details, see the `ttl` match condition. |
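The following configuration is an added example and is not taken from the Juniper page; it shows how several of the match conditions in Table 1 combine in one filter at the `[edit firewall family inet filter ...]` hierarchy the page names. The filter name `protect-re`, the prefix list `mgmt-hosts`, the addresses and the policer values are assumptions chosen for illustration. It applies the recommendations from the table: every port and ICMP condition is paired with a `protocol` condition, `port` is used where either direction of port 179 is meant, and `ttl-except` is used to drop BGP segments that did not arrive with the TTL a directly connected peer would send.

```junos
/* Added example, not Juniper's own configuration. Names and addresses are assumptions. */
policy-options {
    prefix-list mgmt-hosts {
        192.0.2.0/24;
        198.51.100.10/32;
    }
}
firewall {
    family inet {
        filter protect-re {
            /* SSH to the Routing Engine only from the management prefixes.
               protocol tcp makes destination-port unambiguous (TCP, not UDP, 22). */
            term allow-ssh-from-mgmt {
                from {
                    source-prefix-list {
                        mgmt-hosts;
                    }
                    protocol tcp;
                    destination-port ssh;     /* text synonym for 22 */
                }
                then {
                    count ssh-accepted;
                    accept;
                }
            }
            /* Echo traffic is allowed but policed. icmp-type is paired with
               protocol icmp as the table recommends; icmp-code would in
               addition require icmp-type in the same term. */
            term allow-ping {
                from {
                    protocol icmp;
                    icmp-type [ echo-request echo-reply ];
                }
                then {
                    policer icmp-policer;
                    accept;
                }
            }
            /* Directly connected BGP peers send TTL 255 (GTSM). port bgp matches
               source or destination 179; ttl-except 255 matches every other TTL,
               so spoofed segments that transited a router are discarded. */
            term bgp-bad-ttl {
                from {
                    protocol tcp;
                    port bgp;
                    ttl-except 255;
                }
                then {
                    count bgp-bad-ttl;
                    discard;
                }
            }
            term allow-bgp {
                from {
                    protocol tcp;
                    port bgp;
                }
                then accept;
            }
            /* Everything else is counted, logged and dropped. */
            term default-deny {
                then {
                    count re-dropped;
                    log;
                    discard;
                }
            }
        }
    }
    policer icmp-policer {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;
                }
            }
        }
    }
}
```

After committing, `show firewall filter protect-re` displays the `ssh-accepted`, `bgp-bad-ttl` and `re-dropped` counters; on MX Series routers with MPCs, walk the corresponding SNMP MIB first, as described at the top of this page, if the counters do not appear. Term order matters: `bgp-bad-ttl` must precede `allow-bgp`, otherwise the permissive term matches first and the TTL check is never evaluated.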